In the wake of the disclosure of the National Security Agency’s mass digital surveillance program, a group of Austrian students have filed a series of formal complaints with a number of European data protection agencies. The case could become the first legal proceeding challenging disclosure of non-American data to the American government on the basis of alleged violations of European Union data protection law.

The students filing the complaints are all members of an advocacy organization called "Europe vs. Facebook," which for over two years has been encouraging Facebook users worldwide to request copies of whatever data Facebook holds on each of them. Ars profiled this effort, and its leader, Max Schrems, in December 2012.

“[The goal of this effort] is to see if it is legal for a European Union company to forward data to the National Security Agency in bulk,” Schrems told Ars. “[And] to get more information, because they will have to disclose stuff in a proceeding here. The US gag orders are not valid here. Both might be another puzzle piece for the good of mankind.”

Under European Union law, Facebook is required to comply with user data requests within 40 days, since its international (i.e., non-American) headquarters are in Ireland (largely for tax reasons). This means that all Facebook users outside the United States and Canada (which have their own, less-stringent privacy rules) are effectively governed by Irish and EU data protection authorities.

Schrems and his colleagues now are hoping to use European law to find out what has been done with their data held by various digital services, including Facebook (PDF), Apple (PDF), Microsoft (PDF), Skype (PDF), and Yahoo (PDF), all of which were reported to have complied to some degree with the NSA’s PRISM surveillance program. These formal complaints (PDF) were filed with the relevant data protection authorities (DPA) in Ireland, Luxembourg, and Germany on Wednesday.

Max Schrems, 25, is leading a group called Europe vs. Facebook to force the social network to comply with EU data protection law.

“I kindly ask you to investigate the following complaint”

The documents ask the DPA in each country to come to a “formal decision,” which is the first step in the legal process—if one of the parties is unhappy with the outcome, he or she can appeal to a court of law.

The Austrians are using a fundamental idea of European Union data protection law, which dictates that anyone interacting with an EU company or government agency can, for any reason, request all the data that entity has about oneself, and the company or government agency must comply. (American law has no equivalent principle, largely leaving privacy and data protection issues to be sorted out in contract law between individuals and corporations.) The idea is summed up in Section V, Article 12 of the 1995 EU directive "On the protection of individuals with regard to the processing of personal data and on the free movement of such data."

As Schrems writes in his own letter to the Irish DPA with regards to his own Facebook account:

This is a formal complaint against “Facebook Ireland Ltd” under section 10 of the Irish DPA and at the same time also a request for a formal decision by the DPC. There is probable cause that “Facebook Ireland Ltd” is breaking the Irish DPA and the underlying Directive 94/46/EG and I kindly ask you to investigate the following complaint, inform me about your findings and make a legally binding decision after conducting a fair trial.

. . .

As mentioned above my data is processed in the US by “Facebook Inc”. This means that thereby “Facebook Ireland Ltd” is transferring my data to a third country without an “adequate level of protection”. Correspondingly Article 25 of Directive 95/26/EG and section 11 DPA apply to such transfers. A transfer to a third country without an adequate level of protection is only allowed under Article 25 of Directive 95/46/ if the fundamental rights and the right to data protection of the data subjects enjoy adequate factual and legal protection in the third country.

The exceptions under section 11(4) DPA clearly do not apply. “Facebook Ireland Ltd” might argue that users have consented to such transfer, but users have surely not given an informed consent to the processing of their personal data in the US. “Facebook Ireland Ltd” has not informed its users about mass access and about the cooperation with the NSA. To the contrary, “Facebook Inc” and “Facebook Ireland Ltd” are denying any such cooperation. Therefore there cannot be any informed consent.

. . .

In particular the DPC should investigate if a blanket exception for “national security” or “statutory law” of the US can be in line with Directive 95/46/EC and the users’ fundamental rights under the European Union treaties. Until today it was primarily held that only the “national security” and laws of EU member states – and not any third country – can create exceptions for data processing. Otherwise the DPC would have to clarify in which case the “national security” or the law of a foreign country can be used to waive EU data protection laws.

. . .

EU citizens are generally exempt from constitutional protection of their fundamental rights, since the US is still following the idea of “civil rights” (only applying to US citizens and people inside of the US) instead of “human rights”. A “mass confiscation” of the EU citizens’ data is therefore not covered by protections under the US constitution, but instead expressly allowed under § 1881a U.S.C. (also known as 702 FISA). There is no effective judicial oversight, because only the service provider – not the data subjects – can take legal action. The relevant FISA court forms its decisions behind closed doors and it has been reported that it has so far almost never refused any requested access to data. In addition, many other laws like the “Patriot Act” allow access to the data of European citizens in a way that is hardly in line with European fundamental rights.

Ars asked Microsoft, Apple, Yahoo, and Facebook for their reaction, but they did not immediately respond. We will update this story when we have more information.

UPDATE 9:55am CT: Eoin O'Dell, a law professor at Trinity College Dublin, told Ars that Schrems et al's legal arguments are "potentially very strong," pointing out that others have already raised similar prospects.

"As they move up through the courts' hierarchy and reach the Court of Justice of the European Union and the European Court of Human Rights, the arguments get stronger," he said, noting that the group still has a ways to go.

"Many of the defenses will raise jurisdictional issues, to the effect that the named defendants aren't the proper ones: e.g., it's not Facebook Europe that gave the NSA access, it's Facebook US, and the Irish regulators have no jurisdiction over Facebook US," he concluded.

UPDATE 10:36am CT: Dominick Boecker, a German IT lawyer, told Ars: "As [e-mails] were copied (and presumably read) German criminal law is applicable and Sect 202a, 202b. The NSA guys should better not set foot on German soil."

"[With respect] to the actual filings: tech companies doing business in the EU have to obey European and their local law," he added. "These rules can't simply be overruled by US-law (and vice versa). The tech companies are in a dilemma: they (presumably) have to obey US law and hand [over] the data to the NSA and they have to obey European (local) law and must deny handing out the data."

Cyrus Farivar
Cyrus is the Senior Business Editor at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is due out in May 2018 from Melville House.

44 Reader Comments

I love the idea that in order to exploit the tax loophole/benefits of being nominally based in Ireland, Facebook, google and co. can be held to account by the EU data protection rules.

Does anyone know how much the EU has in the way of punitive/financial teeth if the rules are shown to have been breached? Could it end up being more costly (theoretically at least - there's usually some kind of deal struck) than the sum of tax they allegedly avoided in the first place?

I assume the companies are still bound by US law either way. The companies may be EU based but the senior management are still in California. It's unlikely the EU guys have a clue as to what happens on servers in the US. I mean, the EU has known about the risks for a long time as has everyone else: http://euobserver.com/justice/118857. I guess we're lucky there's now sufficient confirmation that perhaps the EU has no choice but to take legal action and finally mandate that some of the more sensitive data not needed for social networking content (most of which isn't necessarily private anyway), be retained within an EU jurisdiction and not exported to the US where EU citizens have no legal standing.

Quote:

I love the idea that in order to exploit the tax loophole/benefits of being nominally based in Ireland, Facebook, google and co. can be held to account by the EU data protection rules.

Does anyone know how much the EU has in the way of punitive/financial teeth if the rules are shown to have been breached? Could it end up being more costly (theoretically at least - there's usually some kind of deal struck) than the sum of tax they allegedly avoided in the first place?

So, the US may be correct in saying spying on foreigners is within the law...just not everyone's law.

I wonder if certain US politicians or NSA employees would be subject to extradition for breaking the laws of states outside the US? Or, more probably, not allowed to travel to certain other countries for having broken their laws while "abroad" in the US?

While I think this is an interesting move I'm sceptical of it having any positive effect; EU countries that comply with NSA bulk-data gathering requests (e.g. UK) aren't likely to stop because the Data Protection Commissioner (that they appointed) writes them a strongly worded letter - or even should the top court order it. On the one hand there's probably some kind of reciprocal arrangement, and on the other hand there's almost certainly going to be diplomatic / economic pressure from the US to maintain the status quo. The biggest kid in the playground usually gets what he wants.

Quote:

since the US is still following the idea of “civil rights” (only applying to US citizens and people inside of the US) instead of “human rights”

Where are the United States action committees? I thought by now the news would be a-buzz about non-profits and committees taking the NSA to task and asking for an investigation, trials, etc, etc. Instead, the only news I see is about how the US is going after Snowden. Are we (US Citizens) really this whipped?

If an EU person's data or metadata originates in the EU and its destination is in the EU, does the US break EU law by copying and storing that data if it passes through US routers? If so, wouldn't there be consequences for breaking those laws?

If not illegal, it certainly makes the US look pretty bad for vacuuming up data-in-transit having nothing at all to do with the US save a few router hops.

Quote:

While I think this is an interesting move I'm sceptical of it having any positive effect; EU countries that comply with NSA bulk-data gathering requests (e.g. UK) aren't likely to stop because the Data Protection Commissioner (that they appointed) writes them a strongly worded letter - or even should the top court order it. On the one hand there's probably some kind of reciprocal arrangement, and on the other hand there's almost certainly going to be diplomatic / economic pressure from the US to maintain the status quo. The biggest kid in the playground usually gets what he wants.

Quote:

since the US is still following the idea of “civil rights” (only applying to US citizens and people inside of the US) instead of “human rights”

Thought that this was worth re-quoting.

I don't think the impact of this will be fines for Facebook. Really, I don't see that Facebook is to blame in this case. The impact is that it may force Facebook to reveal information about the secret surveillance program. That would be interesting.

Quote:

If an EU person's data or metadata originates in the EU and its destination is in the EU, does the US break EU law by copying and storing that data if it passes through US routers? If so, wouldn't there be consequences for breaking those laws?

If not illegal, it certainly makes the US look pretty bad for vacuuming up data-in-transit having nothing at all to do with the US save a few router hops.

That's where the internet can get hairy, I think. The data in question is intended for "Facebook" (or whomever), which is by nature a multinational entity, including the US.

While I _hope_ that the EU can rein in our administration and various governmental organs, I suspect that action against the various companies by the EU will be fairly minimal because the data necessarily must also exist in the US, was requested in the US, from US companies. (Bear in mind that for some of these companies, hundreds of millions in fine wouldn't make a significant dent.)

Quote:

If an EU person's data or metadata originates in the EU and its destination is in the EU, does the US break EU law by copying and storing that data if it passes through US routers? If so, wouldn't there be consequences for breaking those laws?

If not illegal, it certainly makes the US look pretty bad for vacuuming up data-in-transit having nothing at all to do with the US save a few router hops.

That's where the internet can get hairy, I think. The data in question is intended for "Facebook" (or whomever), which is by nature a multinational entity, including the US.

While I _hope_ that the EU can rein in our administration and various governmental organs, I suspect that action against the various companies by the EU will be fairly minimal because the data necessarily must also exist in the US, was requested in the US, from US companies. (Bear in mind that for some of these companies, hundreds of millions in fine wouldn't make a significant dent.)

Agreed there wouldn't be much of a financial dent, but I think this whole idea makes Facebook and others very nervous. If they get nervous they'll start calling up the Congressmen they've bought for help. Hopefully that'll spur some change.

Quote:

Where are the United States action committees? I thought by now the news would be a-buzz about non-profits and committees taking the NSA to task and asking for an investigation, trials, etc, etc. Instead, the only news I see is about how the US is going after Snowden. Are we (US Citizens) really this whipped?

I already see storage companies advertising all non-US-based storage. I suspect other services will follow suit. Companies like Facebook may end up severing ties with their parent companies for operation outside of the States. How that would work in terms of sharing (selling) data across platforms is a detail to be worked out.

That said, I'm not sure how one can route information around the 'Net and ensure that you don't go through routers in the US. I suspect the NSA is just as happy to gobble data in-flight as at rest.

Quote:

I love the idea that in order to exploit the tax loophole/benefits of being nominally based in Ireland, Facebook, google and co. can be held to account by the EU data protection rules.

Does anyone know how much the EU has in the way of punitive/financial teeth if the rules are shown to have been breached? Could it end up being more costly (theoretically at least - there's usually some kind of deal struck) than the sum of tax they allegedly avoided in the first place?

Quote:

Where are the United States action committees? I thought by now the news would be a-buzz about non-profits and committees taking the NSA to task and asking for an investigation, trials, etc, etc. Instead, the only news I see is about how the US is going after Snowden. Are we (US Citizens) really this whipped?

The short answer is yes. Also I highly doubt that anyone is surprised the NSA was spying on us. It is pretty much their job or rather has become their job. Its just that we didn't know the extent of the spying and I suspect it hardly stops at just what we came to know recently.

I guess most people just don't care all that much because they really haven't done anything terribly bad with the gathered data. If there was more proof of severe misuse, then maybe there might be more of an uproar.

This whole complaint appears to be based on the assumption that the NSA has warrantless and unhindered access to Facebook members' personal data, which I've only seen supported by an interpretation of the vague use of the word direct in a classified document. No details on how the data are accessed were given. No details on the process to gain access were given. Snowden's leaks only give enough details to allow people to assume the worst without evidence.

Of course for the NSA to have such direct access they would have to have direct access to all the politicians who are providing oversight and authorization to the NSA. All those politicians would have to be blatantly ignoring the US Constitution to a level even they would blanch at, and without it being in the immediate aftermath of something like 9/11 during which some poor decisions were definitely made.

This complaint will go nowhere simply because there is no evidence that Facebook has mishandled personal data. Conspiracy theories aren't evidence. Vague second hand reports aren't evidence.

While gag orders put in place by US courts aren't binding on European courts, it is doubtful that people in the European branch of Facebook know details of how the program works given that it was classified and that classified data requires the proper clearances, plus a direct need to know, and is generally restricted to US persons. So unless they have evidence that Facebook in Europe had specific knowledge that Facebook US was handling data in ways that violated US law, or the end user agreement, even if Facebook US didn't provide adequate protections, the legally distinct Facebook in Europe isn't at fault.

No real evidence or harm or that Facebook in Europe should have been aware of any bad behavior even if it did occur.

Quote:

Where are the United States action committees? I thought by now the news would be a-buzz about non-profits and committees taking the NSA to task and asking for an investigation, trials, etc, etc. Instead, the only news I see is about how the US is going after Snowden. Are we (US Citizens) really this whipped?

If by whipped you mean pussy-whipped, then yes. Yes we are.

The Congressional Committees are probably looking at what these programs actually do, what authorizations they must get before accessing data, and how few people's data is actually gathered, and trying to reconcile that with the conspiracy theories in the media. That's probably rendering them speechless. If not, the fact that they can't tell anyone how the programs actually operate is probably keeping them quiet. After all, these programs are classified. It makes it very difficult for the government to defend itself against these kinds of conspiracy theories where people take a few facts and then extrapolate them into a broad program where everything everyone does is being watched.

Quote:

Where are the United States action committees? I thought by now the news would be a-buzz about non-profits and committees taking the NSA to task and asking for an investigation, trials, etc, etc. Instead, the only news I see is about how the US is going after Snowden. Are we (US Citizens) really this whipped?

The ACLU (and EFF?) have started legal action. Google it.

As for your complaint regarding the news...what do you expect? Whether you supported Obama or not, you have to have noticed that the main news organizations often give his administration a pass/benefit of the doubt.

Although, with recent allegations of spying on the media having come to light, that might change.

Quote:

I don't think the impact of this will be fines for Facebook. Really, I don't see that Facebook is to blame in this case. The impact is that it may force Facebook to reveal information about the secret surveillance program. That would be interesting.

Like others, though, I do love the idea of a penalty for off-shoring.

I'm with you. I think the best thing that will come out of this is more transparency. The Patriot act pretty much forbids facts of such cases from being revealed by anyone with knowledge of them. But in the EU these cases can be pursued openly...and the firms will be required to reveal what they did in order to adhere to EU laws.

Quote:

The short answer is yes. Also I highly doubt that anyone is surprised the NSA was spying on us. It is pretty much their job or rather has become their job. Its just that we didn't know the extent of the spying and I suspect it hardly stops at just what we came to know recently.

I guess most people just don't care all that much because they really haven't done anything terribly bad with the gathered data. If there was more proof of severe misuse, then maybe there might be more of an uproar.

I agree. Until / unless there comes to light a sympathetic "victim" who has been imprisoned / harmed due to NSA overreach / abuse of powers....the general public will assume this is a victim-less action.

Quote:

Under European Union law, Facebook is required to comply with user data requests within 40 days, since its international (e.g., non-American) headquarters are in Ireland (largely for tax reasons). This means that all Facebook users outside the United States and Canada (which have their own, less-stringent privacy rules) are effectively governed by Irish and EU data protection authorities.

Petard: hoisted.

It's always the tax-avoidance schemes that will get you into trouble. If we learned nothing else from Al Capone, we should have learned that.

Quote:

Where are the United States action committees? I thought by now the news would be a-buzz about non-profits and committees taking the NSA to task and asking for an investigation, trials, etc, etc. Instead, the only news I see is about how the US is going after Snowden. Are we (US Citizens) really this whipped?

If by whipped you mean pussy-whipped, then yes. Yes we are.

The Congressional Committees are probably looking at what these programs actually do, what authorizations they must get before accessing data, and how few people's data is actually gathered, and trying to reconcile that with the conspiracy theories in the media. That's probably rendering them speechless. If not, the fact that they can't tell anyone how the programs actually operate is probably keeping them quiet. After all, these programs are classified. It makes it very difficult for the government to defend itself against these kinds of conspiracy theories where people take a few facts and then extrapolate them into a broad program where everything everyone does is being watched.

Haha...wow. So, Patriot Act prevents those involved in any of these cases from even discussing them or acknowledging that they're involved, but it's the GOVERNMENT that can't defend itself.

Just wow. I assume when the trenchcoats show up at your house and say "Hi, we're from the government, we're here to help you" you willingly do what they say.

Quote:

I already see storage companies advertising all non-US-based storage. I suspect other services will follow suit. Companies like Facebook may end up severing ties with their parent companies for operation outside of the States. How that would work in terms of sharing (selling) data across platforms is a detail to be worked out.

That said, I'm not sure how one can route information around the 'Net and ensure that you don't go through routers in the US. I suspect the NSA is just as happy to gobble data in-flight as at rest.

Actually, starting yesterday, a local radio station has started advertising 100% Canadian web hosting. It made me wonder if it was in response to the recent leaks.

So, if US law applies to persons running websites outside of the US, who have intent on doing business in the US, and the US can file charges against people running said business, freeze their accounts etc. (Kim Dotcom/MU), does it not also follow that US companies doing business in the EU are then subject to EU laws and persons responsible can then be extradited to the EU to face EU charges of violating the personal privacy of millions of persons in the EU?

Quote:

I love the idea that in order to exploit the tax loophole/benefits of being nominally based in Ireland, Facebook, google and co. can be held to account by the EU data protection rules.

Does anyone know how much the EU has in the way of punitive/financial teeth if the rules are shown to have been breached? Could it end up being more costly (theoretically at least - there's usually some kind of deal struck) than the sum of tax they allegedly avoided in the first place?

To clarify some things:

Technically, it is not European law, but a European "directive" which has to be interpreted in national law. As all those companies are based in Ireland, it is the Irish interpretation of the directive that counts.

The ECJ (European Court of Justice, not to be confused with the General Court or the European Court of Human Rights) will not directly rule on this, but only (probably) advise the Irish court, as it is within Irish jurisdiction. Those decisions are binding however and could range from fines to a ban on European operations (though that is unlikely). So there is much more at stake for those companies than only fines.

The Microsoft (and other) fines are something entirely different, being the result of an action brought by the European commission in a European Court (ECJ), not by an individual in a local court.

(Yes, the EU is complicated. And the judicial system even more.)

Quote:

So, if US law applies to persons running websites outside of the US, who have intent on doing business in the US, and the US can file charges against people running said business, freeze their accounts etc. (Kim Dotcom/MU), does it not also follow that US companies doing business in the EU are then subject to EU laws and persons responsible can then be extradited to the EU to face EU charges of violating the personal privacy of millions of persons in the EU?

... and extradition of NSA operatives?!

This is going to be interesting to see how US is going to defend them breaking the EU law, and how they are going to do it without shooting themselves in the foot when they try to export US law all over internet.

Quote:

This whole complaint appears to be based on the assumption that the NSA has warrantless and unhindered access to Facebook members' personal data, which I've only seen supported by an interpretation of the vague use of the word direct in a classified document. No details on how the data are accessed were given. No details on the process to gain access were given. Snowden's leaks only give enough details to allow people to assume the worst without evidence.

Of course for the NSA to have such direct access they would have to have direct access to all the politicians who are providing oversight and authorization to the NSA. All those politicians would have to be blatantly ignoring the US Constitution to a level even they would blanch at, and without it being in the immediate aftermath of something like 9/11 during which some poor decisions were definitely made.

This complaint will go nowhere simply because there is no evidence that Facebook has mishandled personal data. Conspiracy theories aren't evidence. Vague second hand reports aren't evidence.

While gag orders put in place by US courts aren't binding on European courts, it is doubtful that people in the European branch of Facebook know details of how the program works given that it was classified and that classified data requires the proper clearances, plus a direct need to know, and is generally restricted to US persons. So unless they have evidence that Facebook in Europe had specific knowledge that Facebook US was handling data in ways that violated US law, or the end user agreement, even if Facebook US didn't provide adequate protections, the legally distinct Facebook in Europe isn't at fault.

No real evidence or harm or that Facebook in Europe should have been aware of any bad behavior even if it did occur.

This is going nowhere fast.

I suggest that in your fervour to defend the indefensible you are missing almost ALL of the key points.

The complaints in the various EU jurisdictions will have more impact than you seem to wish to believe. Primarily these complaints will force the data protection authorities to act, and by so doing will in turn put the issue of the widespread potential violations of constitutional rights in Germany, and fundamental rights protected in the EU Charter on Fundamental Rights and Freedoms, firmly on the political agenda. At least in Germany, the federal constitutional court has not been bought and is not the toothless travesty that the US Supreme Court seems to be in respect of defending the constitution. I would, for example, be surprised indeed if the German Court will permit the tactic of the DOJ to refuse to answer questions and then to argue that a plaintiff cannot establish standing.

For another: The violation of constitutional rights IS a harm, by definition.

PRISM isn't what the media is reporting it as. The government approaching the companies and asking for data may be happening, and likely is. But this is not what the PRISM program is. And that's why all the companies are saying they are not giving the government direct access to their servers. Because they aren't.

When the government asks for data, the companies give more-or-less only what is required by law, some more so than others.

But, what PRISM is, happens outside of the company's walls. The NSA has fiber optic splitters set up at the routers closest to the company, but outside of the company, and they are storing every single bit that goes into, and comes out of, the target. This way, the NSA doesn't have to ask for the data, because it already has it! And this is why the program is called PRISM. It is splitting the fiber optic light.